How-to: Use aws-vault to manage credentials for an AWS account

This article kicks off a series of posts describing how to use aws-vault, a third-party tool that helps engineers store and use AWS credentials securely in their local development and operational environments. The series will cover:

installing aws-vault, using it to manage credentials for an AWS account, and executing commands with those credentials safely

assuming a role in an AWS account using short-term credentials

assuming a role across AWS accounts by authenticating to one account and using those credentials to assume a role in another

Ok, let’s go!

This how-to describes installation and use of aws-vault, a third-party tool that manages credentials for an AWS account.

Step-by-step guide

You may need to change the file’s permissions so that it is executable.

Rename the executable file to “aws-vault” and ensure that it is in your path.

To display the usage format, list of flags, and list of commands, enter either of the following commands:

$ aws-vault
$ aws-vault --help

To store AWS credentials for use, enter:

$ aws-vault add <profile>

Multiple profiles can be created by using this command repeatedly.

Three prompts will appear:

The Access Key ID and Secret Key are those associated with your AWS account.

The passphrase is one that you create. You will need to enter this passphrase each time you execute a command using temporary credentials. This example shows a Linux variation of the workflow (OS X will use the macOS Keychain).
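
A follow-up check once keys have been stored with `aws-vault add`, as an added example that is not part of the original article or the aws-vault project: the function lists profiles in an AWS shared credentials file (by default `~/.aws/credentials`) that still hold a long-lived secret key in plaintext. The helper name `find_plaintext_profiles` is hypothetical, and the sample file and all of its values are constructed.

```shell
# find_plaintext_profiles FILE
# Print each profile in an AWS shared credentials file that still holds a
# long-lived secret key in plaintext (candidates to move into aws-vault).
find_plaintext_profiles() {
    [ -r "$1" ] || return 0          # no readable file: nothing to report
    awk '
        function report() {
            # A session token marks temporary credentials; skip those.
            if (profile != "" && has_secret && !has_token) print profile
        }
        /^[ \t]*\[[^]]+\][ \t\r]*$/ {    # section header such as "[dev]"
            report()
            profile = $0
            gsub(/^[ \t]*\[|\][ \t\r]*$/, "", profile)
            has_secret = 0; has_token = 0
            next
        }
        /^[ \t]*[#;]/ { next }           # comment line
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (val == "") next          # empty value: no secret stored
            if (key == "aws_secret_access_key") has_secret = 1
            if (key == "aws_session_token") has_token = 1
        }
        END { report() }
    ' "$1"
}

# Constructed sample (fake values) standing in for ~/.aws/credentials.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[default]
aws_access_key_id = AKIAEXAMPLEKEYID0000
aws_secret_access_key = constructed-not-a-real-secret
[migrated]
region = us-east-1
[session]
aws_secret_access_key = constructed-not-a-real-secret
aws_session_token = constructed-token
[ci]
aws_secret_access_key=constructed-not-a-real-secret
EOF
find_plaintext_profiles "$sample"    # prints "default" then "ci"
```

To check your own machine, call `find_plaintext_profiles "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"`; an empty result means no long-lived keys remain in that file.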
